A long-running standoff between Facebook and Canada’s privacy commissioner is heading to Federal Court after a scathing report from the privacy watchdog said the company “outright rejected” guidance that would bring it into compliance with Canada’s privacy laws.

Privacy Commissioner Daniel Therrien said the situation also highlights the lack of enforcement tools at his disposal. His office does not have the ability to levy fines or order companies to produce evidence, unlike other privacy watchdogs around the world. With no deterrent, Therrien said it allows companies to simply disregard his rulings.

In effect, Therrien said Facebook is saying, “thank you very much for your conclusion on matters of law, but we actually disagree and we will actually continue as we were.”

“It’s completely unacceptable,” Therrien said, at a news conference in Ottawa on Thursday.

The report, written in conjunction with the privacy commissioner for British Columbia, says that Facebook failed to get meaningful consent from users installing third party apps and from users who would be affected by apps installed by their friends, a key feature exploited in the Cambridge Analytica breach, the report reads. The data in question was from a third-party quiz app that sucked up data from participating users and their friends, and was then passed along to the political consultancy firm.

Cambridge Analytica drew worldwide condemnation and sanctions from privacy watchdogs and the scandal grew into a global controversy for Facebook about how it protects users’ privacy.

The privacy commissioner’s report also said that Facebook didn’t safeguard user data and shifted accountability to users and app-makers. “The sum of these measures resulted in a privacy protection framework that was empty,” the report says.

Facebook said it took the investigation seriously and is surprised that the privacy commissioner is taking it to the courts.

“After many months of good-faith cooperation and lengthy negotiations, we are disappointed that the OPC considers the issues raised in this report unresolved. There’s no evidence that Canadians’ data was shared with Cambridge Analytica, and we’ve made dramatic improvements to our platform to protect people’s personal information,” Facebook spokesperson Erin Taylor said in an emailed statement.

The privacy commissioner’s report came on the heels of news Wednesday that Facebook was expecting a fine ranging from US$3 billion to US$5 billion as a result of an investigation by the Federal Trade Commission in the United States. That investigation stemmed from the Cambridge Analytica breach and other privacy breaches in the last several years.

Meanwhile, New York Attorney General Letitia James said she is investigating Facebook unauthorized storage of up to 1.5 million Facebook users’ email contact databases.

Last week, Facebook said it may have “unintentionally uploaded” email contacts of up to 1.5 million new users since May 2016, adding that the “contacts were not shared with anyone and we are deleting them.”

James called the disclosure “the latest demonstration that Facebook does not take seriously its role in protecting our personal information.”

“It is time Facebook is held accountable for how it handles consumers’ personal information,” she added.

Privacy advocates in Canada have pointed to the European Union’s General Data Protection Regulation, or GDPR, as the gold standard for privacy rules, partly because it allows countries to levy fines as a percentage of a company’s revenue. Google, for example, was fined 50 million Euros — about $75 million — for not providing enough information to users about its data consent policies.

The GDPR also gives users more control over the information they provide to companies and a “right to be forgotten,” which allows people to have search engine entries removed.

Karen Eltis, a University of Ottawa law professor specializing in internet law and privacy, said Canada’s ombudsman approach strikes a useful balance between the rigid EU rules and the looser system in the U.S.

“Does the privacy commissioner need greater powers in the absence of cooperation? I think that’s correct,” said Eltis, but she warned that it could push Canada away from its cooperative model and towards a more punitive one that isn’t necessarily more effective. Eltis pointed out that laying all the onus on corporations runs the risk that they’ll just opt out, like Google did with Canada’s new political advertising rules, arguing the policy was too onerous and choosing instead to simply ban all political ads.

“The privacy commissioner is rightfully frustrated,” said Eltis. “The system has to evolve to fit the current reality.”

Therrien also reiterated a call for political parties to be brought under Canada’s privacy laws, especially with ongoing threats to elections in western democracies, including the high-profile meddling in the 2016 election in the United States.

Political parties will be a primary target for bad actors like Cambridge Analytica, he said, so it’s important that they secure data properly. The House of Commons ethics and privacy committee has also advised the government to bring political parties under the existing privacy regime, with no success.

“There is an important risk,” to the election, Therrien said, but he’s been encouraged by signs that Facebook is cooperating with the government and that the government seems to be considering beefed up privacy legislation. Therrien said he expected that real movement would begin on these issues after the October election and a new legislative session starts.

Therrien also revealed that he has no personal Facebook account and that his office previously had a promotional page on the platform but removed it in the wake of this investigation.

“We do not want to continue to be associated with an organization that we found to be irresponsible,” said Therrien.